Nmap/nsock based port scanning
Checking out the code
Checking out the nmap-nsock-scan branch works exactly the same way as for the other branches. Just run:

    svn co 'https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-scan'
    cd nmap-nsock-scan
    ./configure
    make
Getting the reviewable diff
Most of the new code is in nsock_scan.cc. There are also modifications to both the Unix and Windows build systems and some extra debug code in timing.cc. I plugged my new scanning code into nmap.cc. Nsock is also modified, with added TTL and connection lingering support. I also backported Henri's r32877 patch to Nsock. To filter that backport out of the diff, use the following commands (the temporary commit only reverses r32877 locally so that it does not show up in the final diff):

    git svn clone 'https://svn.nmap.org/nmap-exp/d33tah/nmap-nsock-scan'
    cd nmap-nsock-scan
    FIRST_COMMIT=`git log . | grep 'commit' | tail -n1 | cut -d' ' -f2`
    R32877_COMMIT=`git log --format=oneline . | grep r32877 | cut -f1 -d' '`
    git diff "$R32877_COMMIT..$R32877_COMMIT^" | patch -Np1
    git commit -a -m "Reversing r32877. Don't push this commit."
    git diff $FIRST_COMMIT.. .
Using the scanner
Currently the nsock scanner is used only in -sT (TCP connect()) mode. To run it, issue any command that results in -sT scanning, such as:

    nmap -sT scanme.nmap.org
    nmap scanme.nmap.org                # falls back to -sT if run without privileges
    nmap --unprivileged scanme.nmap.org

To check that the nsock scanner actually kicked in, add -d to the command line to enable debugging output and look for the following line:

    nsock_scan() begins.
What works
Feature | Status | Automated testing | Comments |
---|---|---|---|
Basic port scanning | Implemented | A scan to scanme.nmap.org | There is no probe_bench equivalent implemented. |
Basic retransmissions | Implemented | Separate scapy script | |
Probe canaries | Mostly implemented | | There is no canary scoring and no global canaries. |
Progress updates | Implemented | | Uses a slightly different formula. |
Congestion control | Mostly implemented | | Most of the code is already there, but it does not behave the same way Nmap does. |
RTT detection | Implemented | Not tested | |
Rate limit detection | Not implemented | | |
Linux self-connect bug workaround | Implemented | | |
Proxy scanning problems
It is currently not possible to use Nsock proxy support for port scanning due to a bug. To trigger it, add the following code after the "nsp_setdevice(nsp, o.device);" line:

    if (o.proxy_chain) {
      nsp_set_proxychain(nsp, o.proxy_chain);
    }

Also, in NsockTCPScanEngine::statusToPortState, find "*should_return = true;" and add the following lines below it (the existing closing brace of that if block closes the new else-if branch):

    } else if (status == NSE_STATUS_PROXYERROR) {
      *port_state = PORT_FILTERED;
      *reason_id = ER_NORESPONSE;

If you compiled the code and tried to run it using

    ncat -l --proxy-type http -p 3128 -v & sleep 1 ; ./nmap --proxies http://localhost:3128 -sT localhost

you would get the following error:

    nmap: nsock_scan.cc:1023: bool NsockHostScanStats::sendOK(timeval*, long unsigned int*): Assertion `since_last_sent >= 0' failed.

The last_sent timestamp lies slightly in the future. If we wanted to assume that this is a gettimeofday() problem and reset it to the current time, we could add the following after "assert(when_ok != NULL);":

    if (TIMEVAL_BEFORE(*now, last_sent))
      last_sent = *now;
Now, we get either a segmentation fault error or the following message:
Trying to delete NSI, but could not find 1 of the purportedly pending events on that IOD.
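To make the assertion failure and the proposed clamp concrete, here is an added example that is not code from the nmap-nsock-scan branch or from Nmap. It models a sendOK()-style check: elapsed time since the last probe is computed from two struct timeval values, a negative elapsed time (last_sent in the future) is the state that tripped the assertion, and the clamped variant applies the TIMEVAL_BEFORE workaround described above. The function names, the tv_before() helper (an equivalent of nbase's TIMEVAL_BEFORE macro), the fixed 1 ms minimum inter-probe gap and the sample timestamps are all assumptions made for illustration; in the real scanner the gap comes from congestion control.

```c
#include <stdio.h>
#include <sys/time.h>

/* Equivalent of nbase's TIMEVAL_BEFORE(a, b): true if a is strictly earlier than b.
 * (Own helper, not the macro itself.) */
static int tv_before(const struct timeval *a, const struct timeval *b)
{
    return a->tv_sec < b->tv_sec ||
           (a->tv_sec == b->tv_sec && a->tv_usec < b->tv_usec);
}

/* Microseconds elapsed from 'from' to 'to'; negative when 'from' lies in the future. */
static long tv_diff_usec(const struct timeval *to, const struct timeval *from)
{
    return (to->tv_sec - from->tv_sec) * 1000000L + (to->tv_usec - from->tv_usec);
}

/* Hypothetical minimum gap between two probes to the same host (1 ms). */
#define MIN_GAP_USEC 1000L

/* Strict check, mirroring the branch's behaviour: returns 1 if a probe may be sent
 * now, 0 if the caller must wait *wait_usec microseconds, and -1 where the original
 * code hit assert(since_last_sent >= 0), i.e. last_sent is in the future (a stepped
 * clock, or a timestamp taken from a different source than 'now'). */
static int send_ok_strict(const struct timeval *now, const struct timeval *last_sent,
                          long *wait_usec)
{
    long since_last_sent = tv_diff_usec(now, last_sent);
    if (since_last_sent < 0)
        return -1;
    if (since_last_sent >= MIN_GAP_USEC) {
        *wait_usec = 0;
        return 1;
    }
    *wait_usec = MIN_GAP_USEC - since_last_sent;
    return 0;
}

/* Same check with the proposed workaround: a last_sent in the future is reset to
 * 'now', so the host is treated as having just sent a probe and simply waits. */
static int send_ok_clamped(const struct timeval *now, struct timeval *last_sent,
                           long *wait_usec)
{
    if (tv_before(now, last_sent))
        *last_sent = *now;
    return send_ok_strict(now, last_sent, wait_usec);
}

/* Scenario driver: 'now' is a constructed fixed timestamp and last_sent is 'now'
 * shifted by offset_usec (negative = in the past, positive = in the future).
 * Returns the status; the wait is returned separately by check_wait(). */
static int check_result(int clamp, long offset_usec)
{
    struct timeval now = { 100, 500000 };
    struct timeval last_sent = { 100, 500000 + offset_usec };
    long wait = 0;
    return clamp ? send_ok_clamped(&now, &last_sent, &wait)
                 : send_ok_strict(&now, &last_sent, &wait);
}

static long check_wait(int clamp, long offset_usec)
{
    struct timeval now = { 100, 500000 };
    struct timeval last_sent = { 100, 500000 + offset_usec };
    long wait = 0;
    if (clamp)
        send_ok_clamped(&now, &last_sent, &wait);
    else
        send_ok_strict(&now, &last_sent, &wait);
    return wait;
}

int main(void)
{
    printf("2 ms ago, strict:      %d\n", check_result(0, -2000));   /* 1: may send */
    printf("0.5 ms ago, strict:    %d wait=%ld\n",
           check_result(0, -500), check_wait(0, -500));              /* 0 wait=500 */
    printf("100 ms ahead, strict:  %d\n", check_result(0, 100000));  /* -1: assertion case */
    printf("100 ms ahead, clamped: %d wait=%ld\n",
           check_result(1, 100000), check_wait(1, 100000));          /* 0 wait=1000 */
    return 0;
}
```

The clamp only hides the symptom: once last_sent has been reset the host simply waits a full gap, which is why the scan in the text proceeds past the assertion and then fails later in Nsock event bookkeeping rather than here.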